We discover new interesting malvertising cases on a daily basis.

For instance, on April 30, 2016, Cyphort's crawler found that the popular US website PerezHilton.com was redirecting visitors to an Angler Exploit Kit landing page. According to SimilarWeb, PerezHilton.com has half a million visitors every day.


Here is the infection chain in this case:

  start        perezhilton.com
  redirector   som.barkisdesign.com
  Angler EK    aluevalvontamme.kinghornagency.com/[…]3.html?utm_source=perezhilton.com

In the screenshot below you can see the IFRAME leading to Angler's landing page. After the browser is exploited, Angler typically drops the Bedep malware, which then downloads CryptXXX ransomware onto the victim's machine.

[Screenshot: som.barkisdesign.com IFRAME leading to the Angler landing page]

And here is the screenshot of the JavaScript Angler code.

[Screenshot: Angler EK JavaScript]
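The IFRAME in the screenshot is the shape that an injected redirect usually takes: a third-party frame the visitor never sees. The heuristic below is an added example, not the page's own code or Cyphort's crawler. It flags IFRAMEs that are both hidden (1x1 or smaller, or hidden by inline style) and off the publisher's registrable domain. The sample HTML is constructed; only the hostnames in it come from the post, and the ad-network host is a made-up placeholder.

```python
"""Heuristic detector for hidden third-party IFRAMEs of the kind malvertising
injects into an otherwise clean publisher page.

Added example, not Cyphort's crawler or the page's own code.  The sample HTML
below is constructed; the real hostnames in it are taken from the post.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline styles that take an element out of view (display:none, hidden, or
# positioned far off-screen).
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}px",
    re.IGNORECASE,
)


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})


def _dimension(value):
    """Parse a width/height attribute such as '1', '1px' or '100%'; None if absent."""
    match = re.match(r"\s*(\d+)", value or "")
    return int(match.group(1)) if match else None


def is_hidden(attrs):
    """True for a 1x1 (or smaller) frame or one hidden by its inline style."""
    width, height = _dimension(attrs.get("width")), _dimension(attrs.get("height"))
    if width is not None and height is not None and width <= 1 and height <= 1:
        return True
    return bool(HIDDEN_STYLE.search(attrs.get("style", "")))


def registrable(host):
    """Crude eTLD+1 (last two labels); use a public-suffix list in production."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:])


def find_suspicious_iframes(html, page_host):
    """Return hostnames of IFRAMEs that are both hidden and off the publisher's domain.

    A visible third-party frame is ordinary ad content; a hidden one pointing
    elsewhere is the shape of the redirect shown in the screenshot.
    """
    collector = IframeCollector()
    collector.feed(html)
    hits = []
    for attrs in collector.iframes:
        host = urlparse(attrs.get("src", "")).hostname
        if not host:
            continue  # relative or missing src: same origin, not interesting here
        if registrable(host) != registrable(page_host) and is_hidden(attrs):
            hits.append(host)
    return hits


# Constructed sample page: one first-party frame, one normal ad slot on a
# made-up ad-network host, and one hidden frame to the redirector from the post.
SAMPLE_HTML = """
<html><body>
<iframe src="https://perezhilton.com/widget" width="300" height="250"></iframe>
<iframe src="https://ads.adnetwork.example/slot" width="728" height="90"></iframe>
<iframe src="http://som.barkisdesign.com/" width="1" height="1"
        style="visibility:hidden"></iframe>
</body></html>
"""

if __name__ == "__main__":
    print(find_suspicious_iframes(SAMPLE_HTML, "perezhilton.com"))
```

This only sees frames present in the HTML you fetched. Ad-delivered redirects are usually written into the DOM by the ad network's JavaScript and are often targeted by geography and User-Agent, so a monitoring crawler has to render the page in a real browser profile and feed the resulting DOM to a check like this one.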

It looks like som.barkisdesign.com was also the culprit in the attacks on CBS-affiliated television stations that our friends at Malwarebytes blogged about recently.

In early May we saw other popular websites redirected through the same som.barkisdesign.com redirector:

  • www.aporrea.org on May 2
  • www.nowtheendbegins.com on May 2
  • www.lolking.net on May 3

On May 6 we saw PerezHilton.com infected again. This time the chain was:

  start                 perezhilton.com
  redirector            ox-d.blogads.servedbyopenx.com
  redirector            adserver.adtechus.com
  Exploit Kit over SSL  https://d1e[..]v.cloudfront.net/[..]82674

Note that this infection is different:

  • a different exploit kit,
  • a redirector belonging to AOL (adtechus.com),
  • Amazon CloudFront CDN used to serve the exploit kit over SSL.

Malvertising continues to be one of attackers' preferred vectors for compromising users' machines with malware. Many users have fought back by blocking all advertising: nearly 200 million people now use ad blockers, according to Statista, and in 2015 this blocking cost publishers nearly $22 billion.

Here is the graphic on the growth of ad-block users.

[Graphic: growth of ad-block users]

Malvertising is effective because users tend to trust mainstream, high-traffic "clean" websites. Attackers abuse this trust to infect visitors through third-party ad content the site itself never inspects.

Advertising networks should monitor continuously: automated systems that repeatedly check ads for malware, scanning early and often, picking up changes in the advertising chains, and drawing on the latest threat intelligence to drive the detection.

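The two PerezHilton.com chains above show why signatures alone are not enough: the second one shared no host with the first, so a blocklist built from the April 30 case would have missed May 6. The block below is an added example of the "scan early, scan often" monitoring just described; it is not Cyphort's system or any code from the page. It replays scan records in date order, alerts on hops already in a threat-intel blocklist, and also alerts when a publisher's chain suddenly terminates on a third-party host never seen in that publisher's baseline. The scan records are constructed: the April 30 and May 6 chains mirror the ones in the post (with the CloudFront host kept in its elided form), while the April 25 chain and the creative.adnetwork.example host are made up to give the monitor a clean baseline.

```python
"""Replay ad-chain scans against a per-publisher baseline and a blocklist.

Added example, not Cyphort's monitoring system.  The scan records are
constructed: the 2016-04-30 and 2016-05-06 perezhilton.com chains mirror the
ones the post describes; the 2016-04-25 chain is a made-up clean baseline.
"""
from collections import defaultdict

# Threat-intel seed: the redirector the post ties to the Angler campaign.
BLOCKLIST = {"som.barkisdesign.com"}

# (publisher, ISO date, hop hostnames from the publisher to the last request)
SCANS = [
    ("perezhilton.com", "2016-04-25",
     ["perezhilton.com", "ox-d.blogads.servedbyopenx.com", "creative.adnetwork.example"]),
    ("perezhilton.com", "2016-04-30",
     ["perezhilton.com", "som.barkisdesign.com", "aluevalvontamme.kinghornagency.com"]),
    ("perezhilton.com", "2016-05-06",
     ["perezhilton.com", "ox-d.blogads.servedbyopenx.com",
      "adserver.adtechus.com", "d1e[..]v.cloudfront.net"]),
]


def first_party(host, publisher):
    """True if host is the publisher itself or one of its subdomains."""
    return host == publisher or host.endswith("." + publisher)


def assess(chain, baseline_hosts, blocklist):
    """Findings for one chain: known-bad hops, hops never seen for this
    publisher, and whether the chain now ends on a brand-new third-party host."""
    publisher, hops = chain[0], chain[1:]
    known_bad = [h for h in hops if h in blocklist]
    new_hosts = [h for h in hops if h not in baseline_hosts]
    terminal = chain[-1]
    # The May 6 chain matched no signature; what gives it away is that the
    # chain suddenly terminates on infrastructure this publisher never used.
    new_terminal = terminal in new_hosts and not first_party(terminal, publisher)
    return {"known_bad": known_bad, "new_hosts": new_hosts, "new_terminal": new_terminal}


def monitor(scans, blocklist):
    """Process scans in date order.

    The first scan of a publisher seeds its baseline unless it already contains
    a blocklisted hop.  Later scans that alert are reported and kept out of the
    baseline, so a compromised chain never becomes "normal".
    """
    baseline = defaultdict(set)
    alerts = []
    for publisher, date, chain in sorted(scans, key=lambda s: s[1]):
        seeding = not baseline[publisher]
        finding = assess(chain, baseline[publisher], blocklist)
        if finding["known_bad"] or (finding["new_terminal"] and not seeding):
            alerts.append((publisher, date, finding))
        else:
            baseline[publisher].update(chain[1:])
    return alerts


if __name__ == "__main__":
    for publisher, date, finding in monitor(SCANS, BLOCKLIST):
        print(date, publisher, finding)
```

The new-terminal rule is deliberately noisy: ad networks rotate creative hosts and CDNs, so in practice it feeds a triage queue that is enriched with threat intelligence and with the kind of landing-page inspection a crawler performs, rather than blocking outright. Every host confirmed malicious should then be folded back into the blocklist so the next publisher redirected through it is caught on the first scan.
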
We expect malvertising to keep rising. We will continue to track it and will share further updates on this blog.